First of all, the syntax of this configuration file is far from perfect. If you have better ideas, just drop me a line...

... is the default configuration file for .... This file may contain several sections and comments. Each section begins with the section name and the left curly brace on one line and ends with the right curly brace alone on a single line. A comment starts with a hash mark at the beginning of a line. Blank lines are silently ignored.

The following sections are valid: ... and ....

The sections ... and ... all have a very similar syntax. Each line starts with an identifier followed by one or more blanks and one or more section-specific entries or previously defined identifiers, separated by blanks. A valid identifier is case sensitive and consists of letters, digits, underscores and hyphens. If two or more identifiers in one section are equal, the corresponding entries are merged into the first identifier. Hence it is not possible to overwrite a previously defined identifier. As a result, the order of the section entries is irrelevant and it is possible to define a section more than once.

The include section: include other configuration files. Each line in this section, enclosed in quotation marks ("), must be a valid filename. The contents of that file are added to the actual configuration, and each included file should contain at least one section (a comment-only file is not really useful...).

The IPv4-only include section: include other configuration files, but ONLY in IPv4 mode (WITHOUT the -6 switch to uif). Otherwise equivalent to the include section above.

The IPv6-only include section: include other configuration files, but ONLY in IPv6 mode (WITH the -6 switch to uif). Otherwise equivalent to the include section above.

The sysconfig section: set some global settings. Each line in this section starts with one of the following identifiers followed by one or more blanks and the desired value: ... and .... If there are multiple definitions of one entry, the last definition is stored (unlike the merge behaviour of the sections above). The identifiers are: a valid default log priority (see ...); the default log prefix, which every iptables log message starts with; the default limit value for log messages (see ...); the default burst value for log messages (see ...); Limit, the default limit value (see ...); Burst, the default burst value (see ...); and the default prefix for accounting chains.

This section defines all needed
services. A service description starts with the protocol (see ...) followed by its parameters in parentheses. Most protocols do not need any parameters; the only exceptions are tcp, udp and icmp. The tcp and udp parameter defines the source and destination port (or port range). The source and destination ports are separated by a slash (/) and the bounds of a port range are separated by a colon, e.g. tcp(123:333/99): tcp protocol, source port range 123-333, destination port 99. An empty source or destination port is expanded to 1:65535, i.e. any port. The icmp protocol parameter must be a valid icmp type (see iptables -p icmp --help).

This section defines all needed networks and hosts. A network description starts with a valid IPv4 address (dotted quad), followed by an optional netmask in CIDR notation (number of bits) or an optional MAC address (prefixed with an equal sign (=)). Some valid entries are: 127.0.0.1, 127.0.0.0/8, 192.168.0.1=00:00:00:00:00:FF.

This section defines
all needed (physical and bridged) interfaces (e.g. eth0, lo, ppp0).

This section defines all needed numerical (decimal) values for packet marking purposes.

For better partitioning of the packet filter, rules can be split across these sections. Internally they are equivalent and together contain all rules. As an exception to all other sections, the order of entries in these sections is important. The default policy for the chains INPUT, OUTPUT and FORWARD is DROP (see ...) and it is not possible to change this. Each line in these sections begins with ... or ... followed by '+', '-' or a mark identifier enclosed in curly braces (or, in the case of out and fw, by '>'). The identifiers ... and ... define rules for incoming, outgoing and forwarded IP packets. Each packet with an INVALID state (see ...) is matched by ... and .... The lines starting with ... and ... define rules to modify the source or destination address or the destination port.
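The section, service and network syntax described above, as an added Python example (this is not uif's own code): it parses a constructed uif.conf-style text, merges equal identifiers within a section (keeping only the last definition for sysconfig), expands empty tcp/udp ports to 1:65535, requires a type for icmp, and splits host entries with an appended =MAC. The section names service and network and the sample entries are assumptions; the page itself confirms only sysconfig, Limit and Burst.

```python
import ipaddress
import re
from dataclasses import dataclass

# Added example, not uif's own code. Section names 'service' and 'network' are ASSUMED.
IDENT_RE = re.compile(r"^[A-Za-z0-9_-]+$")              # letters, digits, '_' and '-'
SECTION_RE = re.compile(r"^([A-Za-z0-9_-]+)\s*\{$")      # "name {" on one line
SERVICE_RE = re.compile(r"^([a-z0-9-]+)(?:\((.*)\))?$")  # proto or proto(params)
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

SAMPLE_CONF = """\
# constructed sample; a comment starts with a hash mark at the beginning of a line
sysconfig {
    Limit    10/min
    Limit    3/min
}
service {
    http     tcp(/80)
    dns      udp(/53) tcp(/53)
}
network {
    local    127.0.0.0/8
    lan      192.168.0.0/24
    gw       192.168.0.1=00:00:00:00:00:FF
}
# a section may appear more than once; equal identifiers are merged into the first
network {
    lan      10.0.0.0/8
}
"""


def parse_conf(text):
    """Return {section: {identifier: [entries]}} following the merge rules above."""
    conf, section = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or raw.startswith("#"):  # blank and comment lines are ignored
            continue
        if section is None:
            m = SECTION_RE.match(line)
            if not m:
                raise ValueError(f"line {lineno}: expected 'name {{', got {line!r}")
            section = m.group(1)
            conf.setdefault(section, {})  # a repeated section accumulates entries
            continue
        if line == "}":
            section = None
            continue
        ident, *entries = line.split()
        if not IDENT_RE.match(ident) or not entries:
            raise ValueError(f"line {lineno}: bad entry {line!r}")
        if section == "sysconfig":  # sysconfig: the last definition is stored
            conf[section][ident] = entries
        else:  # other sections: equal identifiers are merged into the first one
            conf[section].setdefault(ident, []).extend(entries)
    if section is not None:
        raise ValueError(f"section {section!r} is not closed with '}}'")
    return conf


@dataclass(frozen=True)
class Service:
    proto: str
    sport: tuple = None      # tcp/udp source port range (low, high)
    dport: tuple = None      # tcp/udp destination port range (low, high)
    icmp_type: str = None


def _port_range(spec):
    # '123:333' -> (123, 333); '99' -> (99, 99); '' -> (1, 65535)
    if spec == "":
        return (1, 65535)
    lo, _, hi = spec.partition(":")
    lo, hi = int(lo), (int(hi) if hi else int(lo))
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return (lo, hi)


def parse_service(token):
    """'tcp(123:333/99)' -> Service('tcp', (123, 333), (99, 99))."""
    m = SERVICE_RE.match(token)
    if not m:
        raise ValueError(f"bad service {token!r}")
    proto, params = m.group(1), m.group(2)
    if proto in ("tcp", "udp"):  # sport/dport, either side may be empty
        if params is None or "/" not in params:
            raise ValueError(f"{proto} needs (sport/dport), e.g. {proto}(/80)")
        src, dst = params.split("/", 1)
        return Service(proto, _port_range(src), _port_range(dst))
    if proto == "icmp":
        if not params:
            raise ValueError("icmp needs a type, see iptables -p icmp --help")
        return Service(proto, icmp_type=params)
    if params is not None:
        raise ValueError(f"{proto} takes no parameters")
    return Service(proto)


def parse_network(token):
    # '192.168.0.1=00:..:FF' -> (IPv4Network('192.168.0.1/32'), '00:..:FF')
    addr, _, mac = token.partition("=")
    net = ipaddress.IPv4Network(addr, strict=False)  # dotted quad, optional /bits
    if mac and not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address {mac!r}")
    return net, (mac.upper() or None)
```

Running parse_conf(SAMPLE_CONF) yields lan resolved to both 192.168.0.0/24 and 10.0.0.0/8 (the second network block merged into the first), while Limit keeps only 3/min. Because merging silently appends, a typo that reuses an existing identifier widens that identifier's match set rather than failing; checking the resolved tables before loading a ruleset is cheap insurance.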
Note: the identifiers nat and masq are non-operational in IPv6 mode. They are simply ignored, as NAT and masquerading are not supported in IPv6 mode.

The plus and minus signs specify the type of the rule: '+' accepts matching packets and '-' drops them. As a special case, the identifiers out and fw also accept the greater-than sign (>) to adjust the TCP MSS according to the PMTU (see ...).

A very basic ruleset may look like this:

...

This allows all outgoing traffic and drops all incoming connections (because of the default DROP policy).

To be more specific, each line may contain several parameters. Each parameter starts with a single character followed by an equal sign (=) and one or more previously defined identifiers (from the corresponding sections) separated by commas. The following parameters are valid:

- s: The source address or network. Append "(4)" or "(6)" to the network name to make this rule apply to IPv4 or IPv6 only.
- ...: The destination address or network. Append "(4)" or "(6)" to the network name to make this rule apply to IPv4 or IPv6 only.
- ...: The input interface.
- ...: The output interface.
- ...: The physical input interface (only useful with bridged interfaces).
- ...: The physical output interface (only useful with bridged interfaces).
- p: The service description (protocol).
- ...: The mark field associated with a packet.
- ...: The new source address in nat rules. Supported in IPv4 mode only; ignored in IPv6 mode.
- ...: The new destination address in nat rules. Supported in IPv4 mode only; ignored in IPv6 mode.
- ...: The new service description in nat rules. Only valid for tcp or udp packets.
- ...: Sets some 'flags'. A flag definition starts with the flag identifier and optional parameters in parentheses. Valid flags are:
  - ... - Logs matching packets to syslog. The given parameter is included in the log entry. The number of logged packets and the log level can be set in the sysconfig section.
  - ... - Only valid in DROP rules. Sends back an error packet in response to the matched packet. The default is a packet with the RST flag set for tcp connections and a destination-unreachable icmp packet in every other case. Valid parameters are listed in the REJECT section of iptables(8).
  - ... - Creates an accounting chain for all matching packets and their possible responses. The optional parameter becomes part of the chain name.
  - ... - Limits the number of matching packets. The default values are set in the sysconfig section. Other values can be given with the optional parameter: the first entry sets a new limit and the second (separated by a comma (,)) sets the burst value (see Limit and Burst in the sysconfig section).

It is possible to invert the identifier of one of the following parameters (if it expands to exactly one object) by prepending an exclamation mark (!): .... For example: s=!local p=!http.

Configuration files are located in /etc/uif. There is a sample configuration in ...
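The rule-line grammar of the filter sections (keyword plus '+', '-', '>' or '{mark}', then letter=identifier,... parameters, the flag list with parenthesised arguments, and the '!' inversion that is only permitted when the identifier expands to exactly one object), as an added Python example that is not part of uif. The identifier tables are constructed stand-ins for resolved sections. The page confirms out, fw, nat, masq, s= and p=; the keyword in, the parameter letters d, i, o and m, and the flag names log, reject, acct and limit are assumptions, since those names did not survive in this copy of the page.

```python
import re
from dataclasses import dataclass, field

# Added example, not uif's own code. Constructed identifier tables standing in
# for the resolved network, service, interface and marker sections.
NETWORKS = {
    "local": ["127.0.0.0/8"],
    "lan": ["192.168.0.0/24", "10.0.0.0/8"],  # two objects: may not be inverted with '!'
    "gw": ["192.168.0.1=00:00:00:00:00:FF"],
}
SERVICES = {"http": ["tcp(/80)"], "dns": ["udp(/53)", "tcp(/53)"]}
INTERFACES = {"ext": ["eth0"], "int": ["eth1"]}
MARKS = {"fast": ["1"]}

# 's' (source) and 'p' (service) are confirmed by the page's example s=!local p=!http;
# the letters d, i, o and m are ASSUMED here, as are the flag names below.
PARAM_TABLES = {"s": NETWORKS, "d": NETWORKS, "i": INTERFACES,
                "o": INTERFACES, "p": SERVICES, "m": MARKS}
FLAGS = {"log", "reject", "acct", "limit"}
# 'in' is ASSUMED as the incoming-rule keyword; out, fw, nat and masq are on the page.
HEAD_RE = re.compile(r"^(in|out|fw|nat|masq)(\+|-|>|\{([A-Za-z0-9_-]+)\})$")
FLAG_RE = re.compile(r"^([a-z]+)(?:\((.*)\))?$")


@dataclass
class Rule:
    chain: str
    action: str                # '+' accept, '-' drop, '>' MSS adjustment, 'mark'
    mark: str = None
    params: dict = field(default_factory=dict)   # letter -> [(negated, ident, family, objects)]
    flags: list = field(default_factory=list)    # [(name, [args])]


def split_commas(value):
    """Split on commas outside parentheses: 'log(a,b),reject' -> ['log(a,b)', 'reject']."""
    items, cur, depth = [], [], 0
    for ch in value:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    items.append("".join(cur))
    return items


def parse_flag(item, action):
    m = FLAG_RE.match(item)
    if not m or m.group(1) not in FLAGS:
        raise ValueError(f"bad flag {item!r}")
    name, args = m.group(1), (m.group(2).split(",") if m.group(2) else [])
    if name == "reject" and action != "-":
        raise ValueError("reject is only valid in DROP ('-') rules")
    if name == "limit" and not 1 <= len(args) <= 2:
        raise ValueError("limit takes a rate and an optional burst")
    return name, args


def parse_rule(line, ipv6=False):
    """Parse one rule line; returns None for nat/masq in IPv6 mode (they are ignored)."""
    head, *params = line.split()
    m = HEAD_RE.match(head)
    if not m:
        raise ValueError(f"bad rule head {head!r}")
    chain, action, mark = m.group(1), m.group(2), m.group(3)
    if mark is not None:
        if mark not in MARKS:
            raise ValueError(f"undefined mark {mark!r}")
        action = "mark"
    if action == ">" and chain not in ("out", "fw"):
        raise ValueError("'>' (MSS adjustment) is only allowed with out and fw")
    if chain in ("nat", "masq") and ipv6:
        return None
    rule = Rule(chain, action, mark)
    for param in params:
        letter, sep, value = param.partition("=")
        if sep != "=" or len(letter) != 1 or not value:
            raise ValueError(f"bad parameter {param!r}")
        if letter == "f":
            rule.flags.extend(parse_flag(item, action) for item in split_commas(value))
            continue
        table = PARAM_TABLES.get(letter)
        if table is None:
            raise ValueError(f"unknown parameter {letter}=")
        for item in value.split(","):
            negated = item.startswith("!")
            ident, family = (item[1:] if negated else item), None
            if letter in ("s", "d") and ident.endswith(("(4)", "(6)")):  # IPv4/IPv6-only
                ident, family = ident[:-3], ident[-2]
            objects = table.get(ident)
            if objects is None:
                raise ValueError(f"undefined identifier {ident!r} in {letter}=")
            if negated and len(objects) != 1:  # '!' needs exactly one object
                raise ValueError(f"cannot invert {ident!r}: expands to {len(objects)} objects")
            rule.params.setdefault(letter, []).append((negated, ident, family, objects))
    return rule
```

The checks mirror the constraints stated above: reject is refused outside '-' rules, '>' is refused outside out and fw, nat and masq lines return None in IPv6 mode, and s=!lan is rejected because lan expands to two networks (a negated multi-object match would otherwise need a chain of its own rather than a single iptables '!' match).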
See also: iptables(8), uif(8).

This manual page was written by Jörg Platte <joerg.platte@gmx.de> and Cajus Pollmeier <pollmeier@gonicus.de>, for the Debian GNU/Linux system (but may be used by others).